This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Foiling Those Data Theives

Paul Whytock | Apr 25, 2007

Did you hear about the man who opened his high-tech hotel door with a piece of cheese? No, not the start of a joke, but a real situation that was created to demonstrate that RFID (Radio Frequency Identification) technology is vulnerable—in fact, very vulnerable—to information theft and cloning. This is particularly worrisome, because this technology is being looked at for future biometric passport applications.

But, first, let’s get back to the hotel door. It’s now known that RFID tags are very easy to read/write and to clone. So, the researcher in this case bought some RFID-tagged cheese, cloned his hotel keycard RFID tag, wrote the data to the cheese tag, and used the cheese tag to gain entry to his hotel room. Okay, so RFID cards are being hailed as the great hotel keycard. You get into you room reliably, it automates certain room charges like the minibar, controls access to the room safe, and it is durable.

But there are some big “buts” in there. Most RFID cards use data encryption. One major problem is that encryption consumes power, and the only power supply to a passive card is from the querying signal picked up using a loop antenna in the card. Consequently, this very low power level means weak encryption, which means weak security.

Now back to the business of biometric passports. Using this type of passport will require the holder to have their retina scanned while holding their passport in front of a reader. If both sets of data match, then the holder is clear to pass. However, anyone passing near to the RFID-based passport could, in theory, steal the information from the passport, or corrupt it, or possibly change it, causing the holder to fail the passport test.

Can this be done? Yes it can. A very good demonstration by U.K.-based SecureTest, a provider of penetration testing services for IP networks, recently proved it. Even worse, long-range scanning is technically possible as well.

So what’s to be done? In an age where there’s increasing concern about personal data security, one simple solution to RFID data theft lies in the kitchen cupboard—namely, tin foil. By simply wrapping an RFID card or passport in tin foil renders it impervious to any fraudulent reading and scanning. Not necessarily the most convenient or elegant method of data security, but one that works. Remember, though, to be very careful with this form of passport security when walking through airport security arches. Otherwise, it could turn into a rather alarming experience.